Skill: recon-target
Rendered verbatim from apps/mcp-server/skills/recon-target/SKILL.md — this is exactly what the agent runs on.
Recon a target
A "target" is a program (optionally narrowed to a scope). Assets attach to a program through its scopes.
Order of operations
- Find the target. list_programs (filter by search/platformName) to get the programId. Skip if you already have it.
- Map it cheaply. get_target_overview with the programId — returns program metadata, scopes, and per-type asset counts. Read the counts before pulling rows.
- Drill in, paged. Use the counts to decide what to pull. Every list tool takes programId (and optional scopeId/platformName) plus page/limit. Never pull thousands of rows blindly — page and filter.
What each asset type tells you
- list_http_paths — richest signal. Each row has statusCode, length, tool, and the path value. Filter to a domain with domainId. Live 200s / unusual lengths are your first hunting ground.
- list_ports — open ports with service (http/https/null). Use ipAddressId to focus one host.
- list_domains / list_ip_addresses — the surface; join domains→IPs→ports→paths.
- list_technologies (+ get_http_path_technologies / get_port_technologies) — fingerprints; pivot to known-vuln tech.
- list_mobiles / list_wildcards / list_cidrs — mobile apps and scope boundaries.
Discipline
- Respect scope: only assets under the target's scopes are in-bounds.
- Prefer updatedAfter to focus on recently-changed assets when re-checking a target.
- If you need the full picture, page each type rather than requesting huge limits.
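The order of operations and the discipline rules above, as an added example (not part of SKILL.md or the project's code): read the counts first, skip empty asset types, page with a row budget, and drop rows outside the target's scopes. Assumptions: the call_tool transport, the response shapes ("scopes", "counts", "items"), the count keys, 1-based pages and a per-row scopeId are hypothetical; only the tool and parameter names come from the page.

```python
import math
from typing import Callable, Iterator, Optional

# ASSUMPTIONS (not from SKILL.md): call_tool(name, args) returns a dict; the
# overview is {"scopes": [{"id": ...}], "counts": {...}}; list tools return
# {"items": [...]}; pages are 1-based; every row carries a "scopeId".
COUNT_KEY_TO_TOOL = {"httpPaths": "list_http_paths", "ports": "list_ports",
                     "domains": "list_domains"}

def iter_paged(call_tool: Callable[[str, dict], dict], tool: str, args: dict,
               limit: int, max_pages: int) -> Iterator[dict]:
    """Yield rows page by page; stop on a short page or at the page budget."""
    for page in range(1, max_pages + 1):
        items = call_tool(tool, {**args, "page": page, "limit": limit}).get("items", [])
        yield from items
        if len(items) < limit:
            return

def pull_target(call_tool, program_id: str, limit: int = 100, max_rows: int = 500,
                updated_after: Optional[str] = None) -> dict:
    """Overview first, then pull only non-empty asset types, paged and capped."""
    overview = call_tool("get_target_overview", {"programId": program_id})
    in_scope = {s["id"] for s in overview["scopes"]}
    args = {"programId": program_id}
    if updated_after:
        args["updatedAfter"] = updated_after  # re-check: recently changed assets only
    result = {}
    for key, tool in COUNT_KEY_TO_TOOL.items():
        count = overview["counts"].get(key, 0)
        if count == 0:
            continue  # nothing recorded for this type: skip the call entirely
        pages = math.ceil(min(count, max_rows) / limit)
        rows = [r for r in iter_paged(call_tool, tool, args, limit, pages)
                if r.get("scopeId") in in_scope]  # keep only in-scope rows
        result[tool] = {"rows": rows, "truncated": count > max_rows}
    return result

def fake_call_tool(name: str, args: dict) -> dict:
    """Constructed in-memory stand-in for the MCP server, for offline runs."""
    rows = {"list_http_paths": [{"value": f"/p{i}", "scopeId": "s1" if i % 5 else "other"}
                                for i in range(230)],
            "list_ports": [{"service": "https", "scopeId": "s1"}]}
    if name == "get_target_overview":
        return {"scopes": [{"id": "s1"}],
                "counts": {"httpPaths": 230, "ports": 1, "domains": 0}}
    start = (args["page"] - 1) * args["limit"]
    return {"items": rows.get(name, [])[start:start + args["limit"]]}
```

The "truncated" flag tells the caller that the row budget cut the pull short, so the next step is a narrower filter (domainId, scopeId, updatedAfter) rather than a larger limit.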
Next: to go beyond what's already scanned, author a scan workflow.